SOC 2 Trust Services Criteria

SOC 2 Trust Services Criteria Overview

SOC 2 Trust Services criteria controls aim to reduce the complexity of implementing AICPA security considerations. The framework offers a world-class standard by breaking down the security requirements into 5 main categories. An organization that wants the final reports needs to adhere to these categories and pass the audit process, which will provide it with a competitive advantage.

We’re going to explain all about the SOC 2 Trust Services criteria in this article. Feel free to read this article if you want to find answers to the following questions:

● What do you mean by the SOC 2 Trust Services criteria?

● What controls are included in the SOC 2 Trust Services criteria?

● How are the SOC 2 Trust Services criteria organized?

● Can we map SOC 2 requirements onto another framework?

● How do the SOC 2 Trust Services criteria benefit your organization?

● How can you start deploying the SOC 2 Trust Services criteria in your company?

History of SOC 2 Trust Services Criteria Controls

To find out the purpose and potency of the SOC 2 Trust Services criteria controls, it’s helpful to know how and when the framework was first structured.

Back in the early 1970s, the American Institute of Certified Public Accountants (AICPA) released the Statement on Auditing Standards 1 (SAS 1).

It was an auditing process that defined an independent auditor’s responsibilities. Years later, in 1992, SAS 70 was created and released to help organizations understand how their controls work. Since the previous versions couldn’t meet all the needs of companies, SSAE 16 was created in 2010.

SOC is the result of SSAE 16, which consists of three new reports, including SOC 1, SOC 2, and SOC 3.

What are the SOC 2 Trust Services Criteria?

The audit process is based on 5 main principles called Trust Services Criteria.

These principles each cover specific controls that should be implemented, tested, and maintained throughout the process.

Note that the first category (Security) must be in the scope of every audit; it is a must-have principle. So, we call it the Trust Services criteria, and the controls that come under this principle are the SOC 2 Trust Services criteria controls.

Security: How to Make it Real?

Security is a vital part of the framework, and all audits must cover this requirement completely.

Want to know how security is achieved in an organization? The security element refers to a company’s ability, power, and authority to protect its data against unauthorized access.

All organizations are responsible for securely collecting, storing, and processing their clients’ data and safeguarding these sensitive types of data against data breaches.

Availability: How to Make it Real?

Besides the security principle, availability is the second most important Trust Services requirement in this framework. It focuses on keeping systems and data available for operation and use at all times.

Systems should always be accessible, and the approach should be to minimize downtime and bottlenecks.

Confidentiality: How to Make it Real?

Confidentiality is important when an organization deals with sensitive data, such as personal information or health records.

In this category, cyber security experts work to guarantee that policies are in place regarding the protection of data, usage, and access.

Processing Integrity: How to Make it Real?

An organization’s system processing should follow this principle. It covers all the controls that guarantee processes in an organization are always accurate, timely, and authorized.

Integrity is an important factor for online businesses working in the e-commerce industry. It assures customers that they need have no concern about transactional integrity and that all processes will work as one unit.

Privacy: How to Make it Real?

The last principle focuses on users’ personal information. Consider how much of this information is collected, used, and processed in an online business; all of it should be protected against disclosure.

User credentials, user names, passwords, addresses, and all types of personal data are classified under this category to be protected through the privacy principle.

SOC 2 Common vs Trust Service Criteria

This framework is all about safeguarding and protecting organizational and individual information.

It helps organizations find out whether data is secure during its collection. What about processing? How is this data created, stored, and handled?

The framework defines a common criteria list, also known as CC-series, helping cyber security teams better achieve their goals:

● Control environment

● Communication and information

● Risk assessment

● Monitoring controls

● Control activities

● Logical and physical access controls

● System operations

● Change management

● Risk mitigation

How Do TSCs Apply to a Company’s Processes?

Each audit can be as unique as the service organization itself. In short, some of the security concepts defined in this framework might not be required by a specific company.

The first principle, called security, is vital, but the others can be tailored according to the type of service organization.

All in all, those concepts fall into 2 main classifications as below:


There are a lot of considerations and security practices that aim to secure IT systems in a company. Systems are secured by implementing security, availability, and processing integrity principles, and this is the main responsibility of your cyber security team.

This covers a wide variety of areas, such as identity and access management, administrative policies, and human resources, that result in a successful audit.

Processing Data

Confidentiality and privacy are two important principles that focus on data instead of systems. If an organization has access to data coming from clients, these principles should be taken into account.

Overall, these parts focus on evaluating how those types of data and sensitive information are collected, used, retained, disclosed, and processed by the organization.

How SOC 2 Trust Services Criteria Work

TSCs are like standards that lead a service organization in its pathway toward cyber security maturity.

Ultimately, the trust services criteria must be met to get the desired reports. To meet the criteria, companies need to design and implement specific and tailored controls that adequately address the AICPA-defined concepts.

As a service organization, you can contact your third-party auditor and ask them to help you out in the design process. Design of controls is a critical step toward success, and you can count on an auditor’s experience to perform this for your company.

All things considered, there are 2 main steps in front of service organizations, called the design process and the implementation process. After that, a third-party auditor can start the audit process and provide the final report as a SOC-2 certification.

Organizational Procedures According to SOC 2 TSCs: The Creation Process

There are many practices that help cyber security teams design security controls. Typically, these teams start their work by utilizing a risk-based approach, meaning they focus on analyzing risks first.

Designing and defining controls in a service organization can be an exhaustive process requiring hours of work. However, cyber security frameworks such as SOC 2 have simplified this process, and you only need to choose those important controls and start implementing them.

Organizational Procedures According to SOC 2 TSCs: The Implementation Process

You need to develop and establish a solid foundation if you want to implement the defined controls without any issues. This is why service organizations need to work with an experienced and certified team to avoid those problems.

The precision and adequacy of your implementation plan determine your success during the audit process. As a result, deploying and maintaining the controls shows that you can successfully finish a SOC 2 audit process.

How to Get Started for SOC 2 Compliance?

Implementing the SOC 2 Trust Services criteria in an organization can be stressful, but achieving continuous compliance with Nordic Defender’s services is within reach.

Generally, there are 5 main steps that lead your organization to have all those controls in place and benefit from SOC 2 certification.

● Defining the scope of the process

● Gap analysis and control mapping

● Documenting the cybersecurity programs

● Choosing a certified auditor

● Starting the audit process

Cloud Computing

Migrating from on-premises data centers to cloud hosting can feel like a concern. However, that need not be the case when you stick to the required cybersecurity controls defined by a framework.

Information Technology

The IT industry can greatly benefit from such frameworks, especially when an IT company wants to sign new contracts. SOC 2 certification shows your company strictly adheres to that framework’s security controls and respects clients’ data security.

Security Management

This framework acts as an all-in-one security standard that comes with security management considerations.

SOC 2 covers all the requirements which are essential to manage and maintain IT security in an organization.

Medical Data Processing

Aside from securely collecting and storing patients’ data, using that data in a proper way is also important. Medical organizations and clinics can offer their patients an additional feature by providing SOC 2 certification.

Undergoing a SOC 2 audit demonstrates that your organization has invested in and committed to offering secure services and that patients’ data and personal information are safe and protected.

Insurance Data Processing

Your business continuity, competitive advantage, branding, and client satisfaction in the insurance industry all depend on the quality and security of your systems.

This level of security is provided by cybersecurity frameworks like SOC 2 that cover all the necessities in one place. By providing such an audit report, your insurance organization has a new branding tool in hand. You can now market your organization as one that has reliable and secure services.

Healthcare Device Development and Management

Physical device safety and protection are an important part of all cyber security frameworks. Physical security is a deeply important component of the SOC 2 trust service criteria controls, and the framework places strong emphasis on securing and protecting hardware and devices.

If an attacker is able to physically gain access to any of your equipment, they may be able to steal the data or get a copy of it. So, physical access controls are applied in the SOC 2 trust service criteria controls list.


The pharmaceutical industry can facilitate the assessment and deployment of security controls through SOC 2. The SOC 2 criteria controls not only protect your R&D data but also promise to protect your brand’s reputation and continuity.

By achieving such an audit certification, clients in the healthcare space will significantly benefit from added layers of trust and confidentiality. The SOC 2 criteria controls are considered rigorous standards, and they assess compliance and protection of pharmaceutical companies at a high level.

SaaS Vendors

At first glance, acquiring SOC 2 audit reports for SaaS vendors feels like a complex process. But don’t worry, as we’ve streamlined the process at Nordic Defender.

SaaS providers are on the frontline since they deal with different cybersecurity threats daily. Like other business models, the SOC 2 criteria controls can be applied in a SaaS business, and these types of businesses can prioritize the required controls one by one to implement only the controls that are relevant to their operations.

Records Management Companies

In the case of document and record management companies, firms need to be able to securely handle and process documents and customer archives.

Doing so is a pivotal requirement, and becoming compliant with a cybersecurity framework proves this. Record management companies can start their journey by focusing only on the SOC 2 criteria controls that effectively help them become the safest and most protected businesses.

Legal Industry

There are a lot of legal documents recorded and processed in a legal firm. These documents hold clients’ sensitive information, and they should be protected against security threats.

Implementing the SOC’s five requirements proves that a legal firm is meeting predetermined trust and security principles and that it securely handles and maintains the recorded documents.

What is SOC 2 Mapping?

SOC 2 criteria mapping refers to the process of reusing SOC 2 requirements in another cybersecurity framework.

There are a lot of security considerations in this framework that generally or technically can be used in other security frameworks, such as ISO 27001, GDPR, etc.

SOC 2 Mapping to ISO 27001

The majority of ISO 27001 requirements and security controls can be mapped to the SOC 2 trust services criteria.

Interestingly, there are 114 controls in the ISO 27001 framework, and SOC 2 covers many of them in 5 main categories.

SOC 2 Mapping to NIST CSF

Fortunately, the NIST CSF framework maps nicely to the SOC-2 trust service criteria. NIST is organized into 5 functions and 23 categories. These five functions are identify, protect, detect, respond, and recover, and they have been designed to be logically aligned and mapped to other security frameworks.

SOC 2 Mapping to EU GDPR

GDPR is engineered to protect EU citizens’ personal data and information. It applies to any organization that wants to work in the EU region and consists of 99 articles.

GDPR includes 11 chapters that define how an organization must act to ensure the information protection and privacy of users. Almost all of chapters 2 and 3 and most of chapter 4 can be mapped to the SOC 2 TSCs.

How Nordic Defender Helps Your Organization

Nordic Defender is a full-service cyber security team that aims to provide your organization with comfort and peace of mind.

Our cyber security team offers a wide range of products in managed packages. If you want to become compliant with a cybersecurity framework, such as GDPR or SOC 2, we are ready to help you.

Nordic Defender vCISO


The AICPA Trust Services Criteria define 5 main categories for evaluating and leveling up an organization’s security controls. The SOC 2 criteria are an important part of the framework by which companies can start their journey and take action for a SOC 2 certification. Ultimately, no two SOC 2 audits are identical, and the framework gives you permission to deploy particular security concepts and become compliant with the framework.

Frequently Asked Questions

How many trust service controls are there in the SOC 2 framework?

● SOC 2 consists of 5 main trust services criteria defined in 64 individual requirements. Controls help security teams measure the efficacy of these requirements.

Is the SOC 2 framework flexible?

● It can be inferred from the article that all the SOC 2 requirements have flexibility built in. Typically, there is no mandatory prescription saying you should use a specific type of password manager or your security policy should be a particular one.

What do you mean by SOC 2 mapping?

● Many organizations opt for compliance with several cybersecurity frameworks. Each of these frameworks has specific requirements and controls. SOC 2 mapping helps map the requirements onto the requirements of other frameworks, including ISO 27001, GDPR, etc.

What controls are defined in the SOC 2 common criteria?

● Some important controls include access control, intrusion detection systems, firewalls, and incident monitoring. Data encryption and network control are also essential parts of the SOC 2 common criteria.

What is CC-series in the SOC 2 framework?

● CC-series stands for SOC 2 common criteria, which includes nine subcategories. This is an essential list of cyber security controls that define the most important controls implemented in this framework.
